Technical Snapshot

• Multi-stage hybrid static analysis scans both source code and binary files to identify vulnerabilities across the entire application stack.
• Software composition analysis identifies vulnerable software components used by the application.
• Automatically remediate vulnerabilities in source code using industry-standard libraries and practices.
• Provides Guided Update on vulnerable software components using real-time threat and compatibility intelligence.
• Finds and fixes application vulnerabilities in common standards such as OWASP Top 10, PCI-DSS, and CWE Top 25.
• Lucent Sky AVM is certified CWE-Compatible and integrates seamlessly with other developer and security tools.

Automatically remediates source code vulnerabilities

• Instant Fixes are available for most common source code vulnerabilities, such as SQL injection, cross-site scripting, and path traversal, resolving them immediately after a scan.
• If a vulnerability cannot be fixed automatically, a contextual suggestion is generated individually for that particular vulnerability — allowing developers to resolve it efficiently.
• Update guidance are generated for vulnerable software components using real-time threat and compatibility intelligence, helping developers to update them confidently.
• Instant Fixes, suggestions, and update guidance use industry-standard practices and security libraries such as ESAPI and WPL, and can also be customized to use an organization's own security libraries.

Code-based remediation

Most developers know how to prevent common vulnerabilities such as SQL injection, but struggle to actually remediate the thousands of vulnerabilities found in a large application.

Lucent Sky AVM works like a developer does to find and assess vulnerabilities and place "Instant Fixes" in code. It works just like a developer, but is capable of securing hundreds of vulnerabilities at a time.

1. Choosing the remediation mechanism
   Lucent Sky AVM follows industry standards and best practices to decide what remediation mechanisms to use, and where should they be placed. Some vulnerabilities might have multiple remediation mechanisms that are applicable, such as character-escaping and parameterized query for SQL injections. On the other hand, some vulnerabilities can be fixed by applying the same remediation mechanism at any of the applicable locations.


2. Preventing impact on functionalities and vulnerabilities
   Lucent Sky AVM uses contextual and intent-based information to understand the functionalities the developer was trying to achieve when the vulnerability was created, determine if the applicable remediation mechanisms and locations will cause impact on other functionalities and peer vulnerabilities. For example, if an user input is used to construct a SQL query and written to a log file, the log file will need to use the original value, while the SQL query will need to use the escaped value, or as a parameter.


3. Reducing the number of changes with efficient remediation
   Once applicable remediation mechanisms are generated for each vulnerability, Lucent Sky AVM conducts an application-wide cross-check to determine the most efficient remediation mechanism for each vulnerability, based on the potential impact on functionalities and performance. The most efficient remediation mechanism is then used to generate Instant Fix.

What is an Instant Fix?

Each Instant Fix is generated to remediate a specific vulnerability (and those linked to it) while preserving functionalities and performance. Below are two examples of Instant Fixes:

// CWE-79: Cross-site Scripting
var body = sqlDataReader.GetString(2);
Posts.Text += @"<div style=""margin-left: 30px;"">" + LucentSky.Security.Application.Masker.MaskPrivateInformation(LucentSky.Security.Application.Encoder.HtmlEncode(Body)) + @"</div>";

// CWE-89: SQL Injection
var userName = UserName.Text;
var password = Password.Text;
sqlCommand = New SqlCommand(@"INSERT INTO [User] ([UserName], [Password]) VALUES (@lucentsky_userName, @lucentsky_password)", SqlConnection); sqlCommand.Parameters.AddWithValue("@lucentsky_userName", userName); sqlCommand.Parameters.AddWithValue("@lucentsky_password", password);
                

// CWE-79: Cross-site Scripting
String eid = request.getParameter("eid");
out.println("Employee ID: " + org.lucentsky.security.application.Encoder.htmlEncode(eid));

// CWE-89: SQL Injection
String userName = getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
PreparedStatement statement = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = ?"; statement.setString(1, itemName);
ResultSet rs = statement.executeQuery();
rs.close();
                

Accessible how you want it, where you need it

• Deployment
  Lucent Sky AVM can be deployed in the cloud, in an on-premise server, or as a stand-alone appliance.
• Accessibility
  Lucent Sky AVM works with the dev environment you already use. It's accessible through a web interface, inside IDEs, by ALMs, or by integrating with using a CLI or API.
• Integration
  Lucent Sky AVM integrates with other application security and performance products, such as SAST, DAST, WAF, and APM.

Secure your code and see how it performs

Effortless setup

Lucent Sky AVM comes with built-in integration for common APM tools such as Azure Monitor and New Relic. Once linked, applications in Lucent Sky AVM will be mapped to their counterparts in APM tools.

Seamless views

Switch from the security view in Lucent Sky AVM to the performance view in APM with just one click.

Secure, high-performance applications

Performance and security are no longer trade-offs. Because the vulnerabilities are actually remediated in the source code, applications secured by Lucent Sky AVM perform as fast as their vulnerable counterparts. Unlike the performance penalty that come with WAF and RASP, Lucent Sky AVM can secure applications without adding overhead.

Leader in efficiency and automation